| Commit message (Collapse) | Author | Age | Files | Lines |
|
Allowing :controller and :action values to be specified via the path
in config/routes.rb has been an underlying cause of a number of issues
in Rails that have resulted in security releases. In light of this it's
better that controllers and actions are explicitly whitelisted rather
than trying to blacklist or sanitize 'bad' values.
|
Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries
that support multiple Rails versions would've had to feature-detect
whether to use `Mime::Type[:FOO]` or `Mime::FOO`.
`Mime[:foo]` has been around for ages to look up registered MIME types
by symbol / extension, though, so libraries and plugins can safely
switch to that without breaking backward- or forward-compatibility.
Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup
by type or extension, so it's not available as `Mime[:all]`. We use it
internally as a wildcard for `respond_to` negotiation. If you use this
internal constant, continue to reference it with `Mime::ALL`.
Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
|
We should be asking the mime type method for the mime objects rather
than via const lookup
|
This will silence deprecation warnings.
Most of the tests can be changed from `render :text` to `render :plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
|
We want to treat the response object as if it's a real response object
(not a test object), so we should only call methods that are on the
superclass.
|
`head` method works similarly to `render` method with `:nothing` option
|
Non-kwargs requests are deprecated now.
Guides are updated as well.
`post url, nil, nil, { a: 'b' }` doesn't make sense.
`post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
|
unknown layout type
|
Conflicts:
actionpack/CHANGELOG.md
|
The test was not failing for `assert_template file: nil` when a file
has been rendered.
|
Change most tests to make use of assert_raise returning the raised
exception rather than relying on a combination of flunk + rescue to
check for exception types/messages.
|
In some instances, `assert_redirected_to` assertion was returning an
incorrect and misleading failure message when the assertion failed.
This was due to a disconnect in how the assertion computes the redirect
string for the failure message and how `redirect_to` computes the
string that is actually used for redirection.
I made the `_compute_redirect_to_location` method used by `redirect_to`
public and call that from the method `assert_redirected_to` uses to
calculate the URL.
This reveals a new test failure due to the regex used by
`_compute_redirect_to_location` allowing `_` in the URL scheme.
|
This worked in Rails 3.2, but was a regression in 4.0.0.beta1
|
They don't add any benefits over `assert object.blank?`
and `assert object.present?`
|
For instance, it prevents a false positive in this case:
    file = nil
    get :index
    assert_template("#{file}")
|
Given I'm rendering a template `/layout/hello.html.erb`, assert_template was
passing with any string that matches. This behavior allowed false passing like:
    assert_template "layout"
    assert_template "out/hello"
Now the passing possibilities are:
    assert_template "layout/hello"
    assert_template "hello"
fixing assert_template bug when template matches expected, but not ends with
Cherry Pick Merge: Fixes issue #3849 assert_template false positive
taking redundant test off
preventing incorrect assert_template when rendering with repeated names in path
updating CHANGELOG with bugfix: assert_template false passing
|
This is another step in moving Action View's dependencies in Action Pack
to Action View itself. Also, HtmlScanner seems to be better suited for
views rather than controllers.
|
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
|
This reverts commit f53c247d10acbaacb0d61824cfce888c4b0520d2.
|
decides to adventure on this code.
|
initialized"
|
Currently if you do this:
    assert_template :layout => "foo"
Regardless of what layout you were using, the test will always pass. This was broken since the introduction of :layout option in [d9375f3f].
We have a lot of test cases in actionpack/test/controller/layout_test.rb that use this feature. This will make sure that those test cases are not true negative.
|
[#5997 state:resolved]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
|
with \d.
'The scheme name consists of a letter followed by any combination of letters, digits, and the plus ("+"), period ("."), or hyphen ("-") characters; and is terminated by a colon (":").'
|
Signed-off-by: José Valim <jose.valim@gmail.com>
|
Signed-off-by: José Valim <jose.valim@gmail.com>
|
Signed-off-by: José Valim <jose.valim@gmail.com>
|
Signed-off-by: José Valim <jose.valim@gmail.com>
|